VYPR
Unrated severity · NVD Advisory · Published Oct 2, 2018 · Updated Aug 5, 2024

CVE-2018-17886

Description

An issue was discovered in JEESNS 1.3. The XSS filter in com.lxinet.jeesns.core.utils.XssHttpServletRequestWrapper.java could be bypassed, as demonstrated by a <svg/onLoad=confirm substring. NOTE: this vulnerability exists because of an incomplete fix for CVE-2018-12429.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

JEESNS 1.3 XSS filter incomplete fix allows bypass via <svg/onLoad=confirm to execute arbitrary JavaScript.

Vulnerability

JEESNS 1.3 contains a stored cross-site scripting (XSS) vulnerability in the XSS filter implemented in com.lxinet.jeesns.core.utils.XssHttpServletRequestWrapper.java. The filter attempts to sanitize user input using a blacklist approach, but the fix for CVE-2018-12429 is incomplete. The filter only replaces specific event handlers such as onclick and onload with a prefixed underscore, and fails to block variations in case or spacing (e.g., onLoad instead of onload). It also does not filter <svg> tags or other event attributes. The vulnerable code is present in JEESNS version 1.3 [1].

Exploitation

An authenticated attacker can exploit this vulnerability by posting a new article containing a crafted payload. The attacker simply registers an account, signs in, and creates a new article. The payload uses an <svg> tag with an onLoad attribute (mixed case) to bypass the blacklist, for example: <svg/onLoad=confirm(document.cookie)>. When the article is viewed by the target (including administrators), the JavaScript executes without any additional user interaction. No special network position or race condition is required [1].

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's browser session. This can lead to theft of session cookies, defacement of the application, or other client-side attacks. The attacker can gain access to sensitive information visible through the victim's session, effectively compromising the confidentiality and integrity of the application for that user [1].

Mitigation

As of the publication of this CVE (2018-10-02), no official patch from the JEESNS project has been confirmed to fully address the bypass. The developer had previously attempted to fix CVE-2018-12429, but this incomplete fix led to this new vulnerability. Users should monitor the JEESNS project for a security update that implements a more robust XSS prevention mechanism, such as context-aware output encoding and a whitelist-based approach. No workaround is available from the vendor. This CVE is not listed in CISA's Known Exploited Vulnerabilities catalog [1].
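To make the blacklist gap described under Vulnerability and the encoding-based mitigation recommended above concrete, here is an added Python example (not the JEESNS code; the blacklist filter is a constructed sketch of the exact-case replacement the narrative describes). It runs the advisory's mixed-case string through an exact-case blacklist, a case-insensitive one, and HTML output encoding, then checks which results still carry a live event-handler attribute.

```python
import html
import re

# Constructed sketch of a case-sensitive blacklist (an assumption, not the JEESNS source):
# a listed handler name is prefixed with "_" only when it appears in exactly this case.
BLACKLIST = ("onclick", "onload")

def naive_blacklist_filter(value: str) -> str:
    """Exact-case replacement: misses onLoad, ONLOAD, and any handler not listed."""
    for name in BLACKLIST:
        value = value.replace(name, "_" + name)
    return value

def case_insensitive_blacklist_filter(value: str) -> str:
    """Closes the case gap but still only knows the listed names (onerror etc. pass)."""
    return re.sub(r"(onclick|onload)", r"_\1", value, flags=re.IGNORECASE)

def encode_for_html(value: str) -> str:
    """Context-aware output encoding for an HTML text context: no tag can form at all."""
    return html.escape(value, quote=True)

# Detection helper: does the markup still carry a live on*= attribute inside a tag?
EVENT_ATTR = re.compile(r"<[^>]*?\bon\w+\s*=", re.IGNORECASE)

def still_has_event_handler(markup: str) -> bool:
    return EVENT_ATTR.search(markup) is not None

# Constructed test inputs; the second is the mixed-case string quoted in the advisory.
SAMPLES = [
    "<img src=x onload=alert(1)>",
    "<svg/onLoad=confirm(document.cookie)>",
    "<img src=x onerror=alert(1)>",
]

def audit(samples=SAMPLES):
    """Map each sample to (naive_leaks, case_insensitive_leaks, encoded_leaks)."""
    return {
        s: (still_has_event_handler(naive_blacklist_filter(s)),
            still_has_event_handler(case_insensitive_blacklist_filter(s)),
            still_has_event_handler(encode_for_html(s)))
        for s in samples
    }

if __name__ == "__main__":
    for sample, (naive, ci, enc) in audit().items():
        print(f"{sample!r}: naive={naive} case_insensitive={ci} encoded={enc}")
```

Only the encoded column is clean for every sample; widening the blacklist closes the case gap but still leaves unlisted handlers such as onerror untouched.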

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0. No patches discovered yet.

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 1

News mentions: 0. No linked articles in our index yet.